Certbot not working with CentOS 6

Yes, thanks very much for the help.

[root@test-devserver1-2 conf.d]# openssl x509 -text -in /etc/pki/tls/certs/domain.crt -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:67:ca:93:70:6d:a1:06:e3:fe:06:f4:62:be:13:a4:a8:65
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Oct 25 14:08:09 2017 GMT
Not After : Jan 23 14:08:09 2018 GMT
Subject: CN=corp.appvision.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d7:eb:2d:96:5f:7f:5b:45:55:2b:b0:51:74:5f:
be:51:d2:bc:d4:2a:9a:1f:d6:ec:f3:43:b5:4e:26:
1f:f5:3b:e3:ce:53:81:4c:eb:51:28:0d:9f:6d:72:
3a:8d:90:04:0a:8e:de:3e:7e:e0:c3:43:22:69:da:
b6:eb:5e:fc:1c:e6:bc:ae:60:01:6f:cc:bc:a8:7e:
2d:27:b6:2c:6a:d9:bd:c1:4b:6b:4a:3a:0e:0b:c4:
9e:40:0d:84:34:f5:d4:c6:59:9a:98:52:ce:f1:86:
a4:f6:6a:18:ed:16:62:cb:4b:76:10:92:6b:d5:19:
1c:e7:59:b2:71:04:5c:f4:07:8b:62:63:e8:7c:1a:
a3:b9:0a:b8:dd:bf:1f:af:80:06:56:76:d7:ef:7e:
41:b2:35:04:b5:74:63:5b:ea:ea:66:15:99:d7:54:
83:52:4b:9d:7b:4d:94:38:40:a3:14:e8:cd:44:26:
5d:c0:3b:6d:af:38:29:1a:8d:4c:d5:49:fe:6b:68:
6f:63:11:b5:ab:2c:7d:e2:6e:67:d4:52:a0:6d:b3:
00:f3:84:dc:85:33:ea:da:f3:dc:03:df:69:ad:49:
39:c0:72:a6:42:35:51:7c:b2:95:fb:5a:ab:46:33:
e3:31:27:93:80:f3:a5:ce:1d:bb:8c:ce:cb:b9:8c:
37:c2:33:08:5c:3d:41:b5:16:67:7c:af:5a:22:76:
67:55:3a:af:b1:23:9c:91:c7:0e:ac:df:54:ec:28:
a4:26:27:32:e2:aa:96:04:f4:cf:45:af:06:86:72:
01:c2:a8:0f:5d:4f:8d:34:72:16:68:ce:81:e7:62:
d9:64:9a:90:80:61:7b:2d:f6:53:7a:68:2a:2c:7a:
fd:b9:44:2b:dd:d0:28:ea:1d:06:a5:81:6a:1b:fc:
9c:aa:d7:46:c7:8e:a9:04:02:6f:68:11:72:27:0d:
ac:cd:89:4b:6d:cc:22:dd:5a:86:f3:db:7a:cb:25:
0c:85:a7:04:a8:25:e7:fc:2f:54:53:2d:b6:5a:3c:
15:39:2f:7a:fd:88:83:fc:4c:0e:9d:47:f0:0e:a5:
bc:7a:e5:d1:f7:cd:d0:5a:48:11:2e:a8:bf:38:d2:
55:64:f1:3f:bb:dd:b6:55:ff:9c:88:f1:14:3b:e2:
96:c3:5e:5b:92:5d:72:01:f9:26:1e:8e:6f:59:2d:
3b:38:c3:e0:71:bf:78:a7:b8:1d:4c:91:50:51:f5:
8c:ff:36:7f:0f:c7:e7:ee:2d:61:ee:7d:16:1d:5b:
46:f3:04:0d:7e:73:84:b8:20:cd:f7:69:f5:e5:39:
98:79:ee:4b:70:ca:26:c0:1f:5e:b6:95:0f:ec:6f:
9c:71:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
ED:02:82:30:99:28:B1:1E:F2:A4:05:48:D4:E9:9F:94:E9:50:0B:D9
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:corp.appvision.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
     42:f1:58:0d:2a:79:59:87:d2:44:90:9b:55:3e:a5:b6:09:61:
     7b:31:ab:d9:0c:fe:56:66:74:99:54:1b:56:df:d2:e2:a4:56:
     74:3b:09:d2:cd:a2:ba:f2:51:ff:1f:51:ff:aa:a5:24:0f:d9:
     ec:5c:46:cf:9e:47:f1:a4:60:48:c9:fe:d4:b4:b2:54:e5:a4:
     df:72:e4:fe:da:00:b7:6a:b3:10:30:db:05:6e:0b:da:5a:cd:
     1b:1b:00:96:37:ff:05:af:89:2c:47:fd:10:fe:bb:7c:eb:a8:
     d8:33:41:fa:21:70:22:ce:c0:d4:82:3b:03:7c:63:9d:b2:6e:
     68:53:77:58:9a:fc:9f:a3:d9:11:a6:2e:33:88:14:55:f6:35:
     f2:d5:53:3b:84:bb:da:95:06:3a:d1:e7:65:77:12:ba:dd:81:
     e8:c9:84:39:b1:0f:17:be:86:4f:6f:63:78:92:ac:86:c8:b1:
     c7:be:fb:fd:a1:71:ad:82:7a:04:5e:cd:a5:d5:41:0c:1d:12:
     1b:2e:89:c1:ea:8a:b0:d0:8f:3a:61:12:9d:88:6b:9e:bf:12:
     03:fa:51:93:05:3a:9b:bc:82:b8:49:8d:fb:e5:10:f9:46:85:
     60:df:8d:b0:d0:fe:7a:ea:7d:0f:ce:07:af:40:ec:1b:64:57:
     52:b5:d2:8e

So is there a way to get certbot to just add the other domain to the existing cert? Or possibly do it manually.

You can’t technically “change” an existing cert, but you should be able to replace it with an expanded one.

I think this is the root of your problem:

_default_ VirtualHost overlap on port 443, the first has precedence

Normally this means you defined multiple VirtualHosts on the same port without using NameVirtualHost. But you added NameVirtualHost *:443 and it didn't help. Maybe you added it in the wrong place? Could you try putting it at the top of /etc/httpd/conf.d/ssl.conf? I don't know if that makes a difference...

If that doesn’t help, you could try another method, such as the --webroot plugin that _az suggested earlier. But tbh I think you’ll continue to have problems until you fix that virtualhost overlap one way or the other.

So I put the NameVirtualHost at the top, just below the line where it says to Listen on 443, and then reran the certbot-auto --apache command:

[root@test-devserver1-2 ragediver24]# ./certbot-auto --apache
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: corp.appvision.net
2: support.appvision.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for support.appvision.net
Error while running apachectl graceful.
httpd not running, trying to start

[Tue Dec 19 21:00:20 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

Cleaning up challenges
Error while running apachectl graceful.
httpd not running, trying to start

[Tue Dec 19 21:00:21 2017] [warn] module deflate_module is already loaded, skipping

Encountered exception during recovery
Error while running apachectl graceful.
httpd not running, trying to start

[Tue Dec 19 21:00:21 2017] [warn] module deflate_module is already loaded, skipping
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/certbot/error_handler.py", line 100, in _call_registered
self.funcs[-1]()
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1904, in cleanup
self.restart()
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1793, in restart
self._reload()
File "/opt/eff.org/certbot/venv/lib/python2.6/site-packages/certbot_apache/configurator.py", line 1804, in _reload
raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running apachectl graceful.
httpd not running, trying to start

[Tue Dec 19 21:00:21 2017] [warn] module deflate_module is already loaded, skipping

Error while running apachectl graceful.
httpd not running, trying to start

[Tue Dec 19 21:00:20 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

This turns up a few times. Are you able to start Apache manually? If not, what error do you get?

[root@test-devserver1-2 ragediver24]# cat /var/log/httpd/error_log
[Sun Dec 17 03:35:55 2017] [notice] Digest: generating secret for digest authentication ...
[Sun Dec 17 03:35:55 2017] [notice] Digest: done
[Sun Dec 17 03:35:55 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Sun Dec 17 13:10:17 2017] [error] [client 141.212.122.96] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /x
[Mon Dec 18 15:35:05 2017] [notice] caught SIGTERM, shutting down
[Mon Dec 18 15:37:24 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Dec 18 15:37:24 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 15:37:25 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 15:37:25 2017] [notice] Digest: done
[Mon Dec 18 15:37:27 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 15:50:06 2017] [error] [client 85.105.252.55] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Dec 18 16:17:05 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 16:17:05 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Mon Dec 18 16:17:06 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 16:17:06 2017] [notice] Digest: done
[Mon Dec 18 16:17:06 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 16:17:06 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 16:17:06 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 16:17:06 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 16:17:06 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 16:17:06 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 16:17:18 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 16:17:18 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 16:17:19 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 16:17:19 2017] [notice] Digest: done
[Mon Dec 18 16:17:19 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 19:41:06 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 19:41:06 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Mon Dec 18 19:41:07 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 19:41:07 2017] [notice] Digest: done
[Mon Dec 18 19:41:07 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 19:41:07 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 19:41:07 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 19:41:07 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 19:41:13 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 19:41:13 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 19:41:14 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 19:41:14 2017] [notice] Digest: done
[Mon Dec 18 19:41:14 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 20:56:57 2017] [notice] caught SIGTERM, shutting down
[Mon Dec 18 20:57:26 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Dec 18 20:57:26 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 20:57:26 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 20:57:26 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 20:57:26 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 20:57:27 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 20:57:27 2017] [notice] Digest: done
[Mon Dec 18 20:57:27 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 20:57:27 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 20:57:27 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 20:57:27 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 20:57:33 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 20:57:33 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 20:57:34 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 20:57:34 2017] [notice] Digest: done
[Mon Dec 18 20:57:34 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 20:57:57 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 20:57:57 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Mon Dec 18 20:57:58 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 20:57:58 2017] [notice] Digest: done
[Mon Dec 18 20:57:58 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 20:57:58 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 20:57:58 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 20:57:58 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 20:57:58 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 20:57:58 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 20:58:05 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 20:58:05 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 20:58:06 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 20:58:06 2017] [notice] Digest: done
[Mon Dec 18 20:58:06 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 21:46:03 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 21:46:04 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Mon Dec 18 21:46:04 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 21:46:04 2017] [notice] Digest: done
[Mon Dec 18 21:46:04 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 21:46:04 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 21:46:04 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 21:46:04 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 21:46:10 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 21:46:10 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 21:46:10 2017] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Dec 18 21:46:11 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 21:46:11 2017] [notice] Digest: done
[Mon Dec 18 21:46:11 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 22:05:21 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 22:05:21 2017] [warn] module deflate_module is already loaded, skipping
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Mon Dec 18 22:05:21 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 22:05:21 2017] [notice] Digest: done
[Mon Dec 18 22:05:21 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Dec 18 22:05:21 2017] [warn] RSA server certificate CommonName (CN) `dummy' does NOT match server name!?
[Mon Dec 18 22:05:21 2017] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 18 22:05:21 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Mon Dec 18 22:05:27 2017] [notice] Graceful restart requested, doing restart
[Mon Dec 18 22:05:28 2017] [warn] module deflate_module is already loaded, skipping
[Mon Dec 18 22:05:28 2017] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Dec 18 22:05:28 2017] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 18 22:05:28 2017] [notice] Digest: done
[Mon Dec 18 22:05:28 2017] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.6.32 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Tue Dec 19 13:43:04 2017] [notice] caught SIGTERM, shutting down
[Tue Dec 19 13:43:06 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:43:06 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 13:43:25 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:43:25 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 13:44:52 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:44:52 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 13:45:02 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:45:02 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 13:48:56 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:48:56 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 13:49:19 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:49:19 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 13:49:34 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 13:49:34 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 16:35:52 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 16:35:52 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 16:44:59 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 16:44:59 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 16:45:05 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 16:45:05 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 18:33:06 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 18:33:06 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 18:33:40 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 18:33:40 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 19:09:46 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 19:09:46 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 19:10:54 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 19:10:54 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 19:12:47 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 19:12:47 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 21:00:21 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 21:00:21 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 21:00:22 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 21:00:22 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 21:04:00 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 21:04:00 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Tue Dec 19 21:04:15 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 19 21:04:15 2017] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

Hmm. Maybe try removing or commenting out the entire <VirtualHost *:443> for the support subdomain.

(if that works, certbot should be able to automatically create a new working one for you)

The support subdomain is our help desk and needs to be accessible. What do you mean, create a new one? A new domain, or a new cert?

I’m not suggesting to disable the subdomain, only the port 443 VirtualHost for it.

But wait... I'm confused. If you can't start Apache, then how is your site working? Do you have multiple servers or something?

I'm doing this on a test VM in the cloud. I should have clarified that before. The reason I did this was to test out certbot on a non-production server.

Ah. Okay, you understand you won’t be able to actually obtain a certificate with certbot until you run it on the server the domain is pointed at, right? (edit: well, you can if you use the --manual plugin, but that won’t be relevant to what you’re trying to test)

Also, while you’re testing like this on a test VM you should use --staging so that you don’t accidentally trigger the rate limits.

Anyway, back to getting Apache working: I suspect the reason it’s not is because you have a <VirtualHost *:443> in httpd.conf that doesn’t have a certificate configured. If you temporarily remove it or comment it out, I think that might allow Apache to start, which in turn should allow certbot to work. Once certbot is working you should be able to get a certificate (though you’ll need to use a domain name pointed at your test VM for it to actually work) and then you can put the virtualhost back in with the newly obtained certificate.
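A quick way to find the offending VirtualHost before re-running certbot, as an added example (shell; not from this thread and not certbot code): the script below lints an Apache 2.2 configuration for the two conditions the error_log shows, a :443 VirtualHost with no SSLCertificateFile ("Server should be SSL-aware but has no certificate configured") and several :443 VirtualHosts with no NameVirtualHost *:443 (the "VirtualHost overlap on port 443" warning). The two config excerpts, their ServerNames and the /etc/letsencrypt paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Lints an Apache 2.2 config for:
#   - a <VirtualHost ...:443> block with no SSLCertificateFile
#   - two or more :443 VirtualHosts but no "NameVirtualHost *:443"
# ServerNames and certificate paths below are assumptions for the demo.

# check_ssl_vhosts CONFIG_FILE
# Prints one finding per line; exit status 0 when nothing was found.
check_ssl_vhosts() {
    _findings=$(awk '
        /^[ \t]*NameVirtualHost[ \t]+\*:443/ { nvh = 1 }
        /^[ \t]*<VirtualHost[ \t][^>]*:443>/ {
            in443 = 1; n443++; name = "(no ServerName)"; cert = 0; next
        }
        in443 && /^[ \t]*ServerName[ \t]/         { name = $2 }
        in443 && /^[ \t]*SSLCertificateFile[ \t]/ { cert = 1 }
        in443 && /^[ \t]*<\/VirtualHost>/ {
            if (!cert) print "NOCERT " name
            in443 = 0
        }
        END {
            if (n443 > 1 && !nvh)
                print "OVERLAP " n443 " VirtualHosts on :443 but no NameVirtualHost *:443"
        }' "$1")
    if [ -n "$_findings" ]; then
        printf '%s\n' "$_findings"
        return 1
    fi
    return 0
}

BROKEN_CONF=$(mktemp)
FIXED_CONF=$(mktemp)

# Constructed excerpt: conf.d/ssl.conf plus the extra VirtualHost that was
# sitting in httpd.conf before it was commented out.
cat >"$BROKEN_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    ServerName corp.appvision.net
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/corp.appvision.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/corp.appvision.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/corp.appvision.net/chain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName support.appvision.net
    DocumentRoot /var/www/support
    SSLEngine on
</VirtualHost>
EOF

# Constructed excerpt: name-based SSL vhosts, each with its own certificate.
cat >"$FIXED_CONF" <<'EOF'
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName corp.appvision.net
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/corp.appvision.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/corp.appvision.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/corp.appvision.net/chain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName support.appvision.net
    DocumentRoot /var/www/support
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/support.appvision.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/support.appvision.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/support.appvision.net/chain.pem
</VirtualHost>
EOF

for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    echo "== $conf"
    if check_ssl_vhosts "$conf"; then
        echo "OK: every :443 VirtualHost has a certificate"
    fi
done
```

Run check_ssl_vhosts against the real files (httpd.conf and conf.d/ssl.conf, one at a time or concatenated) and compare with `httpd -S`, which prints Apache's own view of the port-to-vhost mapping. The lint only checks that NameVirtualHost *:443 is present somewhere; Apache 2.2 also wants it before the VirtualHost blocks it applies to, which is why the suggestion above is to put it at the top of ssl.conf.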

OK, so I commented that out and fixed the httpd-not-starting error. Now what about the proper command? Should I do ./certbot-auto --apache?

Ordinarily, yes… but.

Just to clarify: you are not running this on the actual server that the domain support.appvision.net is pointed at, right?

In that case it won’t work. It will ask the CA to connect back to the domain to verify that you control it, and the CA will connect back to the domain and hit the live server - where certbot is not running and cannot complete the challenge!

If you want to try it anyway just to see what happens, add the --staging option so that the failure doesn’t count towards the failed validation limit of 5 failures per account, per hostname, per hour.

If you want to try something that should work, grab a free domain from somewhere like duckdns or noip, point it at your test VM, and change the ServerName to match. Then run ./certbot-auto --apache and it should give you a valid cert for that domain.

The support.appvision.net domain is pointed to our load balancer, and we have the domain point to the loopback address in the config file. So that's good to know, there's a staging option.

- The following errors were reported by the server:

Domain: corp.appvision.net
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
438df87d37b16e9a518ef067acde4d50.2adc74c558e67af4fe85266fbcd79f99.acme.invalid
from 104.197.131.45:443. Received 2 certificate(s), first
certificate had names "corp.appvision.net"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[root@test-devserver1-2 ragediver24]#

Unfortunately, that doesn't help. Certbot isn't trying to connect to the domain. Certbot is asking Let's Encrypt, the certificate authority, to connect from their own infrastructure to your domain. They will never see your local hosts file nor care that it is pointed at the loopback address.

The error you got is expected in this case: the certificate authority looks up your domain in the public DNS, finds the IP address of your load balancer, and connects to that instead of your test VM.


So I have a new issue with my live server. I tested on CentOS 6 and exceeded my validations. Now it says I have to wait a week to fix the cert. Is there a workaround for the failed validations because my cert is set to expire in 6 days.

Also, this is the error I was getting before the validation problem:

HG SERVER CERTBOT INFO

First try failed:
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. my.appvision.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my.appvision.net/.well-known/acme-challenge/MaoCoAQq10haZZeKdiaaVjfEIC8sOq9FOzU208Yx_rk: "

HackGuard Professional

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859"

IMPORTANT NOTES:

I think you might have misinterpreted the rate limits. The rate limit related to failed validation attempts resets after just one hour, not one week. Only rate limits related to issuing too many certificates require a week to reset.

You should be able to try again in an hour.

In this case apparently a tool called HackGuard is preventing incoming requests for this file from completing without a username and password. In order to proceed, you'll have to disable this configuration, at least for this particular file path—that is, files within /.well-known/acme-challenge/—so that they can be downloaded directly without any authentication.
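A pre-flight check for the HTTP-01 path, as an added example (shell; not from the thread and not certbot code): classify_challenge_response decides whether what came back for a file under /.well-known/acme-challenge/ is the file itself, an HTML page that something like HackGuard answered with instead, or an authentication refusal; probe_challenge_path does the real fetch (it needs network access, so the demo only runs the classifier on constructed responses); print_acme_exemption prints an Apache 2.2 fragment that excludes that directory from Apache-level authentication. The domain, webroot, token and the HackGuard-style page are constructed, and the exemption only helps if HackGuard is wired in through Apache's own auth directives, which the thread does not establish.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks what a CA would get back
# when it fetches a token under /.well-known/acme-challenge/.
# Domain, webroot, token and the HTML page below are constructed for the demo.

# classify_challenge_response EXPECTED_TOKEN HTTP_STATUS BODY_FILE
# Prints: ok | html-intercepted | wrong-body | auth-blocked | not-found | http-<code>
classify_challenge_response() {
    _expected=$1; _status=$2; _body=$(cat "$3")
    case $_status in
        200)
            if [ "$_body" = "$_expected" ]; then
                echo ok
            elif printf '%s' "$_body" | grep -qiE '<!doctype|<html|<meta '; then
                # a 200 carrying HTML means something (login page, WAF,
                # catch-all rewrite) answered instead of the static file
                echo html-intercepted
            else
                echo wrong-body
            fi ;;
        401|403) echo auth-blocked ;;
        404)     echo not-found ;;
        *)       echo "http-$_status" ;;
    esac
}

# probe_challenge_path DOMAIN WEBROOT
# Drops a random token into WEBROOT/.well-known/acme-challenge/, fetches it
# over plain HTTP following redirects, as the CA does, and classifies the
# answer. Run it from a machine with no /etc/hosts override for DOMAIN: the
# CA resolves the name in public DNS, not in your hosts file. Needs network
# access, so the demo below does not call it.
probe_challenge_path() {
    _domain=$1; _dir=$2/.well-known/acme-challenge
    _token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$_dir" && printf '%s' "$_token" >"$_dir/probe-$_token"
    _tmp=$(mktemp)
    _code=$(curl -sS -L --max-time 15 -o "$_tmp" -w '%{http_code}' \
        "http://$_domain/.well-known/acme-challenge/probe-$_token") || _code=000
    rm -f "$_dir/probe-$_token"
    classify_challenge_response "$_token" "$_code" "$_tmp"
    rm -f "$_tmp"
}

# print_acme_exemption
# Apache 2.2 fragment letting the challenge directory be read without
# credentials (Satisfy Any + Allow from all bypasses Require/AuthType).
# Apache 2.4 uses "Require all granted" inside the Location instead.
# Only helps if the password prompt comes from Apache's auth directives.
print_acme_exemption() {
    cat <<'EOF'
<Location /.well-known/acme-challenge/>
    Satisfy Any
    Order allow,deny
    Allow from all
</Location>
EOF
}

# Demo on constructed responses.
TOKEN=constructed_t0ken_Zx9
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s' "$TOKEN" >"$GOOD"
# constructed stand-in for the HackGuard login page certbot showed
cat >"$BAD" <<'EOF'
<html><head><title>HackGuard Professional</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>
<body><form method="post">User <input name="u"> Pass <input name="p"></form></body></html>
EOF
echo "static file served: $(classify_challenge_response "$TOKEN" 200 "$GOOD")"
echo "HackGuard page:     $(classify_challenge_response "$TOKEN" 200 "$BAD")"
echo "401 from Apache:    $(classify_challenge_response "$TOKEN" 401 "$BAD")"
print_acme_exemption
```

Anything other than `ok` means the CA will see the same thing certbot reported above, and the fix belongs in whatever answered (HackGuard's own settings, or an Apache `<Location>` exemption like the one printed) rather than in certbot.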

So I do that somewhere in the httpd.conf file?

I apologize, I'm new to configuring Apache on Linux.

That seems possible, but I’m not familiar with HackGuard so I don’t know where or how it’s configured. I’m guessing you didn’t deliberately choose to use it?